Security policies are typically designed and enforced at upper levels of a protocol stack. For example, a device may include an agent running within an operating system (OS) layer of the device to block security breaches such as running applications that an organization has banned, accessing confidential data that the end-user is not authorized to access, and so forth.
The development of virtualization technologies such as virtual machine environments and container environments has made it relatively easy to bypass agent-level enforcement, because the agent is installed only in the host OS and has no visibility into workloads running inside a guest or container. The ease with which these virtual environments can be created in order to thwart agent-level policy enforcement exposes the organization to both internal and external threats. For example, an employee end-user may create a virtual machine and omit installing the agent-level policy enforcer in the newly created virtual machine so that a banned application may be installed there without detection.
An organization may have invested a great amount of time and resources to develop many dozens, hundreds, or even thousands of agent-level security policies. Nonetheless, such security policies may be rendered ineffective by the threat posed by virtualization and container technology.
There is a need for improved systems and techniques for policy enforcement that are not so easily bypassed, are cost-effective, and allow an organization to recoup the investment it spent developing agent-level security policies.
The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.